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EXECUTIVE SUMMARY 


This survey report presents the results of a survey undertaken in the United States as part of a larger 
survey of organizations in five additional geographies — the United Kingdom, France, Germany, 
Australia and Singapore — on ransomware and other critical security issues. The survey was 
conducted with small- to mid-sized businesses during June 2017 with 179 organizations in the United 
States and 175 in each of the other five nations. In order to qualify for participation in the survey, 
respondents had to be a) responsible and/or knowledgeable about cybersecurity issues within their 
organization, and b) the organizations surveyed could have no more than 1,000 employees. A total of 
22 questions were in included in the survey. Results from the other surveys are available in separate 
national and regional survey reports. 


TRE AFTERMATH OF RANSOMWARE 
The impact of ransomware on small to mid-sized businesses can be crippling 
Among small to mid-sized organizations that have experienced a successful infiltration of the 
corporate network by ransomware, 20 percent reported that they had to cease business 
operations immediately, and 12 percent lost revenue, both slightly lower than the global 
average. 


e Ransom demands are not the small business killer, downtime is. Most small to mid- 
sized businesses impacted by ransomware experienced hours of downtime 
We found that for slightly more than one-half of the organizations that were infected with 
ransomware, the ransom demanded was $1,000 or less. In fact, only 17 percent of ransom 
demands were in excess of $10,000 and only two percent were for more than $50,000. 
However, our research also found that for 20 percent of impacted organizations, a ransomware 
infection caused 25 or more hours of downtime, with some organizations reporting that it caused 
systems to be down for more than 100 hours. The amount of high levels of ransomware-induced 
downtime for US-based organizations was slightly higher than the global average. 


¢ For many, the source of ransomware cannot be identified 
The most common source of ransomware infections in US-based organizations are related to 
email use: 37 percent were from a malicious email attachment and 27 percent were from a 
malicious link in an email. Organizations in the United States are three times more likely than the 
global average to know the source of the infection: only nine percent of American organizations 
did not know the source of the ransomware infection versus 27 percent globally. 


e Ransomware infections often spread to other endpoints once they take hold 
Our research found that in many ransomware attacks the infection is not limited to a single 
endpoint, but can spread to others, as well. In fact, in some cases the infection spread to every 
endpoint on the network. Organizations in the United States were more likely than the global 
average to see ransomware infections spread to more than just the initial endpoint that was 
infected, but not every endpoint, whereas US organizations were twice as likely to experience 
every endpoint on the network become infected. 


ATTITUDES ABOUT PAYING RANSOMWARE 
Most small to mid-sized businesses do not believe they should pay ransomware 
demands 
We found that a sizeable majority of respondents believe that ransomware demands should 
never be paid, while most of the remaining organization believe they should be paid if the 
encrypted data is of value to the organization. Only a tiny minority believe that ransom demands 
should always be paid, although American organizations are more than twice as likely to believe 
they should always be paid. 


¢ Among those that did not pay the ransom, many lost files as a result 
We found that among US-based organizations that did not pay the ransom that was demanded 
of them, 32 percent lost files, matching almost exactly the global average. 


e Most organizations want addressing ransomware to be a high priority, but they still 
lack confidence in their ability to deal with it 
The vast majority of organizations give a high or very high priority to addressing the 
ransomware problem (80 percent of the American organizations surveyed versus 75 percent 
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globally); to investing in resources, technology and funding to address the problem (69 percent 
compared to 67 percent globally); and to investing in education and training about ransomware 
for end users (73 percent versus 53 percent globally). 





Despite these investments, about one-half of the American organizations surveyed expressed 
little to only moderate confidence in their ability to stop a ransomware attack. In fact, only seven 
percent of organizations surveyed felt “very confident” in their ability to thwart ransomware 
attacks, lower than the global average of 10 percent. 


ined eel TECHNOLOGY TRENDS 
Small to mid-sized businesses believe fighting ransomware is more about training 
people than deploying technology, but they want both 
When asked if ransomware should be addressed only through technology or only through 
training, more organizations believe the latter will be more effective in addressing the 
ransomware problem, which is contrast to the global view that technology is more effective. 
Although the remaining 88 percent of survey respondents believe that a mix of technology and 
training are necessary, American organizations tilt more toward training-based approaches as 
the more effective approach. 


¢ However, current technology solutions do not seem to be solving the problem 
Our research found that organizations have implemented a variety of solutions to address their 
ransomware concerns, either before or after the fact. These include traditional email security 
solutions, regular backups to be able to restore to a known good state, network segmentation, 
and ransomware-specific solutions, either on-premises and/or in the cloud. However, having 
these defenses in place does not seem to be enough. While more than one-third of small to mid- 
sized businesses in the United States claim to be running anti-ransomware technologies (higher 
than the global average), 38 percent of businesses surveyed still experienced a ransomware 
attack. 


ABOUT THIS SURVEY AUDIENCE 
The distribution of industries surveyed in the United States is shown in Figure 1. These organizations 
had a mean of 391 employees and 357 email users. 


Figure 1 
Distribution of Organizations Surveyed 


Industry YO 


Source: Osterman Research, Inc. 
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RANSOMWARE IS A CRITICAL PROBLEM 
RANSOMWARE IN THE CONTEXT OF OTHER SECURITY THREATS 


Ransomware is an increasingly serious issue, and the problem is getting worse over time. As shown 
in Figure 2, ransomware is a “top three” problem for organizations in the United States, cited by 74 


percent of those surveyed as a problem about which they are “concerned” or “extremely concerned”. 


Our research found that the average level of concern about the issues shown in Figure 2 (those 
indicating that they are “concerned” or “extremely concerned”) was within a fairly tight band across 
all of the geographies we surveyed, ranging from a low of 51.9 percent in Germany to a high of 58.5 
percent in the United States. However, the range for the concern over ransomware varied more 
significantly, from a low of 57.7 percent in Australia to a high of 78.9 percent in France, with the 
United States ranking second at 74.2 percent. 


Figure 2 
Concern About Various Security Threats 
Percentage Responding Concerned or Extremely Concerned 


Phishing through email 


80% 


Malware infiltration through email 


75% 


Ransomware 


74% 


Malware infiltration via web browsing 


71% 





Insider theft of data 42% 
Phishing through social media 42% 
Physical theft of laptops and mobile devices 26% 





Source: Osterman Research, Inc. 
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HOW COMMON ARE RANSOMWARE AND OTHER THREATS? 

As shown in Figure 3, most organizations in the United States have experienced various types of 
security attacks and data breaches over the past year, with many organizations experiencing some 
type of security-related incident on a more than monthly basis. Also of note is that 38 percent of 
organizations have experienced a ransomware attack during the last 12 months, with most of those 
having been victimized seeing anywhere from one to five such attacks during the past year. The US 
companies we surveyed actually rank a bit better globally, with slightly fewer having been victimized 
by various attacks and data breaches, but worse from a ransomware perspective (38 percent of US 
companies victimized versus 35 percent globally). 





Figure 3 
Attacks, Breaches and Ransomware Infiltrations During the Previous 12 Months 
62% m Attacks 
E Breaches 
Attacks or breaches that 
involved ransomware 
40% 


37% 


22% 
21% 


16% 


o, 
isd 3% 2% 


0% 





None 1to5 6 to 10 11 to 20 More than 20 


Source: Osterman Research, Inc. 
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CONFIDENCE IN ADDRESSING THE RANSOMWARE PROBLEM 

Organization confidence among decision-makers about their ability to stop a ransomware attack is 
not very high. As shown in Figure 4, 12 percent of organizations has little confidence that they can 
stop a ransomware attack that has infiltrated their network, and another 37 percent are only 
“somewhat” confident in their ability to stop such attacks. Only one-half of organizations are “fairly” 
or “very” confident that it can thwart a ransomware attack. Compared to the global results, US 
companies are less confident: 12 percent of US companies with no confidence versus 10 percent 
globally, and 37 percent not too confident versus 35 percent. 


Figure 4 
Level of Confidence That a Ransomware Attack Can be Stopped 


m Not confident at all 

E Not too confident 

= Somewhat confident 

E Fairly confident 
Very confident 


43% 





Source: Osterman Research, Inc. 
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HOW ORGANIZATIONS RESPOND TO RANSOMWARE AND 
HOW THEY’RE IMPACTED 
THE IMPACTS OF RANSOMWARE CAN BE DEVASTATING 


The impact of ransomware can be damaging to an organization. As shown in Figure 5, our research 
found that while most of the ransomware incidents that have been experienced involved just the 
endpoint, more 40 percent of these infections spread to other devices, and for four percent of 
organizations the ransomware infection impacted every device on the network. The spread of 
ransomware was worse among American companies than across all of the six geographies we 
surveyed. For example, the spread of ransomware to every device on the network was twice as bad 
in the United States, and “only” 35 percent of organizations globally experienced a spread of 
ransomware beyond the original entry point versus 40 percent in the United States. 


Figure 5 
Extent of the Most Serious Ransomware Attack That Has Been Experienced 





E Just the endpoint(s) 


= More than just the endpoint, 
but not every device 


Every device on the corporate 
network 





Source: Osterman Research, Inc. 


The survey found some level of variability in the proportion of endpoints that were infected by the 
most serious ransomware infection that had impacted organizations. For example, organizations in 
Germany and the United States experienced the greatest proportion of network/every endpoint-wide 
infections at 5.0 percent and 4.3 percent, while no organizations surveyed in France or Singapore 
reported ransomware infections that impacted every device on the network. By contrast, 68.3 
percent of French organizations reported that only a single endpoint was infected by the most severe 
ransomware infection they had experienced, whereas this figure was only 50.7 percent for Australian 
organizations. 
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Infections from ransomware attacks create a wide range of consequences. As shown in Figure 6, 
individuals whose computers were infected (or who suffered the follow-on impacts of a co-worker or 
colleague being infected) felt the impact of ransomware by losing access to their files, which 
happened to nearly one-half of the companies infected with ransomware. However, for 20 percent 
organizations, their business stopped immediately, either because they had to deal with the infection 
and/or because they lost access to critical files needed to keep the business operational. Other 
impacts from ransomware included employees using personally owned devices like smartphones and 
tablets instead of corporate systems, lost revenue and, in extreme cases, lives were endangered from 
the ransomware infection. 


Figure 6 
Impact of the Most Serious Ransomware Attack That Has Been Experienced 


























People were personally impacted (customers, 
students, vendors, staff, etc.) 


It stopped business immediately Ooo 20% 


Employees used personally owned 
smartphones, tablets or laptops because 13% 


corporate systems were down 


We lost revenue i 12% 


Lives were endangered 0% 


46% 





Source: Osterman Research, Inc. 


The impact of ransomware was slightly less in the United States in the context of things like stopping 
business immediately and revenue loss, but much worse in terms of the personal impact it had on 
ransomware victims: 46 percent in the United States versus 37 percent globally. 
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As shown in Figure 7, about one-third of organizations in the United States that fell victim to Report 
ransomware had fewer than one percent of their endpoints infected, while another one-third had up 
to 25 percent infected. However, the remaining one-third had more than 25 percent of their 
endpoints infected. The situation in the United States was much worse than it was globally: 33 
percent of US organizations had more than one-quarter of their endpoints infected in their most 
serious ransomware attack versus 26 percent globally. 





Figure 7 
Proportion of Endpoints Infected in the Most Serious Ransomware Attack That Has Been 
Experienced 


o 
34% 33% 


17% 
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Source: Osterman Research, Inc. 
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Ransomware-induced is a major consequence for many ransomware infections because an infected Report 


endpoint becomes immediately unavailable. A rapid restoration of an infected endpoint can minimize 
downtime, but as shown in Figure 8, fast recovery from ransomware is not common, with most 
experiencing anywhere from one day to almost two weeks of downtime from a ransomware attack. 





Our research found that only one in six organizations had minimal downtime resulting from 
ransomware, but more than one-quarter of organizations experienced anywhere from one to eight 
hours of downtime. However, it gets much worse: 57 percent of organizations infected by 
ransomware experienced nine or more hours of downtime, with some organizations finding that they 
were down more than 100 hours because of the infection. 


Figure 8 
Downtime Experienced in the Most Serious Ransomware Attack That Has Been 
Experienced 
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Source: Osterman Research, Inc. 
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HOW DOES RANSOMWARE ENTER AN ORGANIZATION? 


The most commonly cited source of a ransomware infection was an email attachment, followed by a 
malicious link in an email. As shown in Figure 9, nearly one in ten organizations simply did not know 
the source of the most serious ransomware attack that had impacted them. Other sources included a 
malicious web site or web application, a business application, a social media tool or a USB stick. 


Figure 9 
Manner by Which Malware Entered in the Most Serious Ransomware Attack That Has 


Been Experienced 
Email attachment DE 37% 
Link in an email —_—— 7] 27% 
A Web i lt tule Peal than el 16% 
We don't know atl 9% 
Business application Ey 7% 


Social media i 4% 


USB stick QO%/ 


Source: Osterman Research, Inc. 


Interestingly, organizations infected with ransomware in the United States were much more likely to 
know the source of the infection than were organizations globally: 91 percent of organizations in the 
United States could identify the source of the infection versus only 73 percent globally. Also, email 
was a much more likely source of ransomware infection in the United States: 54 percent versus 47 
percent globally. 
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HOW DOES IT RESPOND TO RANSOMWARE? 

The length of time that elapses between the initial ransomware infection and its detection is critical 
to stopping the spread of the infection. As shown in Figure 10, 13 percent of organizations could 
detect a ransomware infection in five minutes or less. Another 31 percent could do so more in no 
more than one hour after an endpoint was infected, but more than one-half of the organizations 
surveyed in the United States required many hours or even days before they detected the problem. 
The results we discovered among organizations in the United States was somewhat better than the 
overall global results, but not by much. 


Figure 10 
Time Elapsed Before Detection in the Most Serious Ransomware Attack That Has Been 
Experienced 


33% 
23% 


31% 
13% 
B 0% 0% 


No more than 5 No morethan No more than 12 No more than a Nomorethana More than a 
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Source: Osterman Research, Inc. 
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AMOUNTS THAT CYBER CRIMINALS HAVE DEMANDED AND RESPONSES aah! 


TO THESE DEMANDS 

Most ransom demands from cyber criminals are fairly small: as shown in Figure 11, about one-half of 
these demands of small to mid-sized businesses ask for less than $1,000. However, many cyber 
criminals ask for much larger sums, with 49 percent asking for more than $1,000 and two percent 
demanding up to $150,000. The results we found for organizations in the United States were not 
appreciably different than those we discovered in the other geographies. 





Figure 11 
Amount Demanded in the Most Serious Ransomware Attack That Has Been Experienced 


E Up to $500 
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Source: Osterman Research, Inc. 





UNITED STATES 


Among organizations that were infected with ransomware, only about one in five opted to pay the 
ransomware demands, as shown in Figure 12. However, we found significant variability between the 
geographies that we surveyed. For example, only 16 percent of French and 17 percent of German 
organizations opted to pay the ransom demanded after their most severe ransomware infection, but 
43 percent of British and 46 percent of Australian organizations opted to do so. Companies in the 
United States were significantly less likely to pay ransomware demands than the global average (21 
percent versus 28 percent). 


Figure 12 


Was Ransom Paid in the Most Serious Ransomware Attack That Has Been Experienced? 





E Yes 


No 
79% 


Source: Osterman Research, Inc. 
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Among US-based organizations that chose not to pay cyber criminals’ ransom demands, about one- 
third lost files as a result of their decision not to pay, as shown in Figure 13. Here, too, we found 
significant variability among the organizations based on geography. For example, British and 
Australian organizations experienced the greatest degree of file loss from their decision not to pay — 
46 percent and 40 percent, respectively. Organizations in Germany and France were the least likely 
to lose files from their decision not to pay ransom demands. American organizations’ experience in 
losing or not losing files after not paying the ransom exactly matched the global average. 


Figure 13 
Were Files Lost in the Most Serious Ransomware Attack That Has Been Experienced 
Among Organizations That Did Not Pay the Ransom? 
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Source: Osterman Research, Inc. 
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SHOULD ORGANIZATIONS PAY RANSOMWARE DEMANDS? ea cad 


When infected by ransomware, decision makers face a difficult decision: should they pay the 
ransomware to recover their files and potentially increase their chances of being infected again by 
demonstrating a willingness to pay, or should they refuse to pay and suffer the consequences? As 
shown in Figure 14, most organizations in the United States believe, at least in general, that 
organizations should not pay ransomware demands, and a small proportion believe this occur each 
and every time they are infected. Interestingly, organizations in the United States are three times 
more likely to believe that organizations should always pay ransom demands than is the case for the 
global average. 





Figure 14 
Belief That Companies Should Pay Ransom Demands if They Are Hit With Ransomware 
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Source: Osterman Research, Inc. 





UNITED STATES 


We also asked survey respondents to personalize the decision of whether or not to pay ransom 
demands. As shown in Figure 15, the results were largely the same about the decision to pay a 
ransom whether or not respondents were answering about organizations in general or their own 
organization. Organizations in the United States were more likely to tell us that they should always 
pay ransom demands (five percent versus three percent globally) and less likely to consider whether 
payment should be evaluated on a case-by-case basis (33 percent versus 37 percent globally). 


Figure 15 
Do You Believe That Your Company Should Pay Ransom Demands If You Are Hit With 
Ransomware? 
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Source: Osterman Research, Inc. 
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THE IMPORTANCE OF ADDRESSING THE RANSOMWARE 
PROBLEM 


THE NEED TO SOLVE THE RANSOMWARE PROBLEM 

Decision makers are mostly in agreement that the ransomware problem needs to be solved and they 
are addressing it as a high priority. As shown in Figure 16, 80 percent of survey respondents give a 
“high” or “very high” priority to addressing the ransomware problem (higher than the global average 
of 75 percent); 73 percent give investing in resources, technology and funding to address 
ransomware this high a priority (versus 67 percent globally); and 69 percent consider that investing 
in user education and training about ransomware needs to be a high or very high priority (versus 53 
percent globally). 


Figure 16 
Priorities for Addressing Various Aspects of the Ransomware Problem 
Percentage Responding a High or Very High Priority 
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Source: Osterman Research, Inc. 
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IS SOLVING RANSOMWARE A HUMAN OR TECHNOLOGY ISSUE? 

The debate about how best to solve the ransomware problem is an ongoing issue: should the 
primary or only focus be on user training, or should the focus be primarily exclusively on a 
technology-oriented approach? As shown in Figure 17, six percent of the organizations surveyed 
believe ransomware can be addressed properly only through a technology-focused approached, while 
another 23 percent believe that the problem is best addressed mostly using anti-ransomware 
technology. By contrast, 39 percent of respondents believe that the primary focus of anti- 
ransomware approaches should be directed toward training users. 


Figure 17 
Extent to Which Organizations Believe That Solving the Ransomware Problem is a 
Human vs. Technology Issue 
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Source: Osterman Research, Inc. 


Organizations in the United States are significantly more focused on security awareness training than 
organizations globally. For example, while 39 percent of organizations globally believe that 
addressing ransomware is primarily a technology-focused issue versus 29 percent in the United 
States. The opposite is true with regard to security awareness training: 39 percent of American 
organizations believe in a primarily training-based approach to deal with ransomware versus 30 
percent globally. 
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THE ROLE OF SECURITY AWARENESS TRAINING 

As shown in Figure 18, ten percent of organizations in the United States do not conduct security 
awareness training that specifically addresses ransomware. Among the 80 percent of US 
organizations that conduct some form of training, most conducted ransomware-related security 
awareness training multiple times per year, with 22 percent of organizations offering this training at 
least once per quarter or more often. Despite the greater focus of organizations in the United States 
on security awareness training to deal with ransomware relative to the global results, slightly fewer 
organizations actually conduct this type of training today. 


Figure 18 
Do Employees Go Through Security Awareness Training that Specifically Mentions 
Ransomware and Frequency of This Training 
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TECHNOLOGIES/PROCESSES IN PLACE TO ADDRESS RANSOMWARE 

Most of the US-based organizations we surveyed have deployed email security to address 
ransomware and have implemented regular, on-premises backup of data so that they can restore 
ransomware-infected machines to a known good state as quickly as possible, as shown in Figure 19. 
Many organizations also have implemented network segmentation, the use of outsourced security 


providers, on-premises ransomware-detection solutions, and regular, cloud-based backup capabilities. 


Figure 19 
Technologies and Processes in Place to Address Ransomware 
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Source: Osterman Research, Inc. 


Most of the US-based organizations we surveyed have deployed email security to address 
ransomware and have implemented regular, on-premises backup of data so that they can restore 
ransomware-infected machines to a Known good state as quickly as possible, as shown in Figure 19. 
Many organizations also have implemented network segmentation, the use of outsourced security 


providers, on-premises ransomware-detection solutions, and regular, cloud-based backup capabilities. 
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ABOUT MALWAREBYTES 


Malwarebytes is the next-gen cybersecurity company that millions worldwide trust. Malwarebytes 
proactively protects people and businesses against dangerous threats such as malware, ransomware, 
and exploits that escape detection by traditional antivirus solutions. The company’s flagship product 
combines advanced heuristic threat detection with signature-less technologies to detect and stop a 
cyberattack before damage occurs. More than 10,000 businesses worldwide use, trust, and 
recommend Malwarebytes. Founded in 2008, the company is headquartered in California, with offices 
in Europe and Asia, and a global team of threat researchers and security experts. For more 
information, please visit us at http://www.malwarebytes.com/. 





Malwarebytes founder and CEO Marcin Kleczynski started the company to create the best disinfection 
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